“ikee” iPhone Worm Progeny Not So Harmless

Earlier this week, we reported that the first iPhone worm had been created. It was called “ikee,” and all it did was change the default wallpaper on devices to an image of Rick Astley with “ikee is never going to give you up” printed across the top. It was relatively harmless, if annoying, and the hacker responsible claimed that it was more of a warning than anything else.

Hopefully many heeded that warning, since a new virus has now surfaced that uses the same M.O. as ikee but has a far more malicious intent and effect. Specifically, the new malware mines personal data from your device, using the very same exploit ikee revealed earlier in the week.


The new worm, dubbed “iPhone/Privacy.A” by digital security firm Intego, affects only jailbroken iPhones, and grabs things from your device like address book contacts, text messages, photos, music, video, calendar entries and email messages. Basically, almost anywhere it can look for sensitive data, it will. The virus doesn’t seem to be able to access information stored by other applications on your iPhone, like password managers, but if you’re affected, the only safe course of action is a full wipe and restore.

Theoretically, according to iPhone security researcher Charlie Miller speaking to Computerworld, attacks based on the same exploit could do more than just mine data. Running up your phone bill, sending out bulk text messages and spamming your contacts are all well within the realm of possibility. Miller goes on to describe how easy it would be for a hacker to infect a device:

This could easily be installed on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network. Or a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the Wi-Fi network in search of data.

In order to secure your device against this kind of attack, there are a few options. First, change the default SSH password if you haven’t already. So far, that appears to be the easiest way to foil attempts to infiltrate your jailbroken device. The best way to prevent this and any kind of future attack along the same lines, however, is to not jailbreak your device in the first place, or to restore it to factory settings if you’ve already jailbroken. Of course, for many who use their devices with carriers who don’t officially offer the iPhone, that isn’t an option.

Miller suggested that Apple may want to consider re-engineering its security measures to account for jailbroken devices, but as that would mean tacitly acknowledging and even accepting a practice it stridently disapproves of, I think the best bet for jailbreakers is just to shut down all SSH access, if possible.
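As an added example (not from the article, Intego, or anyone quoted above), the following shell script puts the advice above into a form that can be run on the jailbroken device itself: it reports whether sshd is installed and loaded, and with `--apply` it changes the passwords of both default accounts and unloads sshd so it will not come back at boot. The launchd plist path, the presence of `passwd` and `launchctl` on the device, and the `--apply` flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example: hardening a jailbroken iPhone against ikee-style SSH worms.
# Assumptions (not stated by the article): sshd comes from the Cydia OpenSSH
# package and is managed by launchd via the plist below, and the device has
# the passwd and launchctl commands available.

SSHD_PLIST="${SSHD_PLIST:-/Library/LaunchDaemons/com.openssh.sshd.plist}"

# Return 0 when the sshd launch daemon definition exists on the device, which
# means SSH can be started even if it is not listening at this moment.
sshd_installed() {
    [ -f "$SSHD_PLIST" ]
}

# Return 0 when launchd currently has sshd loaded, i.e. the device is reachable
# over SSH and the worm's entry point is open.
sshd_loaded() {
    launchctl list 2>/dev/null | grep -q 'com.openssh.sshd'
}

# Report the exposure level as a single word that the rest of the script acts on:
#   none      - no sshd installed, nothing to do
#   installed - sshd present but not loaded
#   listening - sshd loaded: change the passwords and unload it
ssh_exposure() {
    if ! sshd_installed; then
        echo none
    elif sshd_loaded; then
        echo listening
    else
        echo installed
    fi
}

# Both accounts that ship on a jailbroken device (root and mobile) carry the same
# well-known default password, so both must be changed, not just root.
change_default_passwords() {
    passwd root && passwd mobile
}

# Stop sshd and tell launchd not to start it again at boot (-w persists the choice).
disable_sshd() {
    launchctl unload -w "$SSHD_PLIST"
}

# Dry run by default; pass --apply on the device to actually change the
# passwords and unload sshd.
status=$(ssh_exposure)
echo "ssh exposure: $status"
if [ "${1:-}" = "--apply" ] && [ "$status" != "none" ]; then
    change_default_passwords
    disable_sshd
fi
```

Run it once without arguments to see the exposure level, then with `--apply` over a local terminal (MobileTerminal or a USB connection, not over the SSH session you are about to close). If you still need SSH occasionally, change the passwords anyway and only load sshd for the duration of the session.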

1. Many people with jailbroken iPhones did not do the jailbreak themselves. They have no idea if SSH is enabled, having probably never heard of SSH. And they have no idea how to set the root password. They went to a friend or a vendor and had their iPhone jailbroken so they could modify the UI or pirate apps from the App Store. They are not technically inclined.

2. Even if you close off this security hole, you are still more vulnerable than the population of un-jailbroken iPhones. As Dino Dai Zovi, a security researcher, says (via Daring Fireball), “Also, remember that jailbreaking your iPhone disables code signing enforcement. That’s the thing that makes exploits so hard on iPhone.” You are basically opening up a potential security hole when you jailbreak. No one can predict if more exploits are coming, but given the history of malware, it is hard to believe that it won’t happen.

1. SSH is not something a normal jailbreaker would install these days. In the early days of jailbreaking, yes, you’d need SSH to get apps onto the thing. Nowadays, almost nobody bothers with it. blackra1n and the like install Cydia, which gives you access to loads of apps. SSH is entirely not required.

2. Jailbreaking disables code signing enforcement, yes, but that isn’t what makes the device “secure”. That’s what makes it “controlled” by Apple. That is all it really does. An exploit could feasibly exist in any application, signed or not, that would allow for remote arbitrary code execution. Apple is signing based on their terms of service and their own guidelines. They’re not security auditing every single piece of code that is in an iPhone application.

It’s only a matter of time before somebody discovers and uses a vulnerability in an App Store app, and then being jailbroken or not won’t make any difference. The only difference will be whether you have the app in question or not.

Simply jailbreaking doesn’t open your phone to these attacks. Only deliberately careless jailbreakers are at risk. SSH access isn’t automatic; you have to install it yourself in order to be vulnerable, and that package clearly warns users to change the password. Furthermore, SSH access is easily toggled on and off with SBSettings. It’s a piece of cake. If you’re going to take 4 or 5 steps in order to open up vulnerability, you’d have to be silly not to take a couple more and close it.